In response to DR reports that a glitch in the TastSelv Borger tax service has sent over one million Danish CPR numbers to the US companies Google and Adobe, cybersecurity experts commented below.
In response to DR reports that a glitch in the TastSelv Borger tax service has sent over one million Danish CPR numbers to the US companies Google and Adobe, cybersecurity experts commented below.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Whether or not Google had visibility into the CPR numbers for Danish residents, which have similar identification capabilities here in the U.S., it\’s important to monitor your accounts and tax returns. If a criminal hacker were to be in possession of a Danish CPR, they could file taxes on behalf of the person and essentially steal their tax return, similar to the types of attacks that happen in the U.S. Similarly, in the U.S., it\’s becoming strongly apparent that everyone needs to monitor all critical identifiable information about themselves to prevent fraud or identity theft. Monitoring services are available and should be used to effectively to review the activity of one\’s own social security number, social insuarnce number if you\’re in Canada or the CPR number in Denmark.
Organizations need to thoroughly test and verify all capabilities and updates when encrypting and transmitting any personal sensitive information from one entity to another to ensure that additional vulnerabilities are not created. While as consumers, there is an expectation of a certain level of protection and privacy, vigilance towards monitoring your accounts, tax returns and credit information is needed in today\’s day and age more than ever to protect yourself and your credit.
There are a number of things that make a data breach like this one alarming. The CPR (the civil registration number that every Danish citizen is required to have) is valuable data for hackers, as it identifies individuals and is used to access government services. The other part is that the data was exposed for such a long time, which makes it extremely difficult to investigate how it occurred, who had access to this data and how it was potentially used.
For data to be exposed for such a long time, there has to be a serious flaw in the security processes and governance. A review of these, including vulnerability management and awareness programs, should be done to prevent this from happening again.
I assume the Danish Data Protection Agency will look into this and if the breach at Taxa 4×35 of last year is any indication, there will be heavy fines to pay.